On 07-04-16 04:09, Christoph Anton Mitterer wrote:
> Package: igtf-policy-classic
> Version: 1.73-1
> Severity: wishlist
>
>
> Hi.
>
> Currently the package creates symlinks for all files in /etc/grid-security.
> It would be nice if one could:
> - disable this completely
You can already. The debconf settings for the igtf-policy packages allow for
two modes:
- install all certificates by default, but exclude a list of hand-picked
  exceptions.
- install none of the certificates by default, just the hand-picked ones.

This can be done by running

    dpkg-reconfigure igtf-policy-classic

or by pre-seeding debconf, e.g.

    igtf-policy-classic igtf-policy-classic/install_profile boolean false
    igtf-policy-classic igtf-policy-classic/include_ca multiselect NIKHEF

> - configure the location where they're created

Not sure if your request was meant as OR or AND; it's not hard to implement
but the installation in /etc/grid-security/certificates is already a kludge.

> The reasons are:
> a) Even in grid environments, /etc/grid-security is no longer necessarily a
> fixed location, e.g. dcache allows other locations for CA and voms stuff.

Not sure if I understand this correctly. Couldn't dcache be told to look in
/etc/grid-security/certificates?

> b) The following scenario I use at our Tier-2:
> - I basically want to have one location where I canonically set up the
> trusted CAs/voms files and where fetch-crl runs.
> - all other nodes on the cluster pull their files from that node, e.g. via
> rsync, and deploy it to their respective /etc/grid-security (this is even
> done like that by the host where I keep the canonical repo of the certs).
> Why? Well, several reasons:
> - one central point where I can remove trusted CAs if I want to

OK.

> - one central point where fetch-crl runs, which has the minor benefit of
> fewer services running on other nodes, and the major benefit that it's
> guaranteed that all nodes have the same CRLs.
> It happens pretty often that the CRL servers fail sometimes and even if
> they'd not, I'd want all nodes to have exactly the same CRLs (which is
> not fully guaranteed if each of them runs fetch-crl, at possibly
> different times).
> Accesses shouldn't be allowed on one node, but denied on another because
> of different CRLs.
I've not run into this sort of trouble at all; maybe it's worthwhile
investigating why fetch-crl is not behaving as expected. Normally CRLs are
fetched every 6 hours and they have a lifetime of a week, so complete
failures due to CRL expiry are very rare.

Your case can actually be covered by setting http_proxy on your nodes and
setting up a dedicated caching proxy for the CRLs on the one node that keeps
the canonical CRLs and CAs. See also http://wiki.nikhef.nl/grid/FetchCRL3

> Problems with the current way the package installs symlinks to
> /etc/grid-security:
> - They're all symlinks... so either I still have to install the package on
> each node (which again makes it possible that they're out of sync)

I *think* you can tell rsync to copy symlinks as files with -L.

> - It doesn't work anymore, that the one node that holds the canonical
> location of my trusted CAs (which needs to be /etc/grid-security right now)
> pulls his CAs via the same mechanism as all other nodes.

I don't understand this. Wasn't this exactly the point of your setup?

Cheers,
Dennis

